The main focus of the General Data Protection Regulation (GDPR) is the protection of personal data and digital privacy.
The GDPR is a new legal framework from the EU that takes effect on May 25, 2018. It's an updated version of the Data Protection Directive.
This law is designed to accomplish two main things:
Regardless of where in the world your business is located, the GDPR applies to any business that does one or both of the following:
This means that a business located in Canada that only collects phone numbers for text message marketing to people in the EU will be required to comply with the GDPR.
While the Data Protection Directive only applied to data controllers, the GDPR now applies to data processors as well.
Each role has specific requirements that you'll also need to be aware of.
For example, data controllers must now conduct Data Privacy Impact Assessments (DPIAs) and add more thorough methods of obtaining consent for collecting data.
Data processors will have to start keeping written records, increasing security measures to protect data and notifying data controllers of any breaches that occur with the data.
In some instances you may be required to appoint a Data Protection Officer (DPO) to oversee your data security strategy and GDPR compliance.
The GDPR requires that users are provided with thorough information about how their personal data is processed.
According to Article 12 of the GDPR, you need to let people know about how you process personal data in the following ways:
Remember that under the GDPR, you need to communicate your data collection and processing procedures in a way that's concise, transparent, intelligible and in clear and plain language.
Privacy Policies tend to be long, dense legal agreements with a lot of detailed information. Your users might feel intimidated by page after page of technical information, which is what the GDPR is working to avoid.
Note that each point doesn't have to be a separate clause. As long as the information is somewhere in your Policy, it will work.
The data controller will likely be your business, unless your business operates as a data processor for other companies.
If you have a Data Protection Officer, add in specific contact information for your users to contact this person directly with issues related to privacy.
Your users need to know why you're collecting and using their personal data. Be as specific as possible here when disclosing your practices.
Most of these rights involve things like the right to access data, request changes, deletions and corrections.
For example, if you collect email addresses, give users a chance to see which one(s) you have on file, give them a way to delete their email address and allow them to update or change it.
If you use personal data to make automated decisions - such as for credit scoring, loan screening, profiling users or making employment decisions - you need to disclose this to users.
You can let users know that you don't do this if you want, but it's not required.
If your business transfers personal data to a different country or international organization, you need to let users know this.
Include one of the following as well:
An explanation of the "suitable safeguards" you have in place for the transfer (such as binding corporate rules, contractual provisions, etc.). Let your users know how they can go about requesting a copy of your safeguard information.
Under the GDPR, you need to have a lawful basis for processing any personal data. There are six available lawful bases, and each piece of data you process needs to fall under one of the six categories.
The most common two would be:
This requirement will likely be met through a combination of your clauses that cover what personal data you're collecting and how you're using the data.
You should always get consent for the data you wish to collect. Not only will that meet the requirement of a legal basis to collect, but it's also a general requirement under the GDPR.
Before you collect basic personal information (email addresses, names, financial information, etc.), you'll need to get clear, unambiguous affirmative consent.
Before collecting sensitive personal information (sexual orientation, health data, political/religious views, etc.), you'll need to get explicit consent.
There's something else you can do to satisfy the enhanced requirements under the GDPR: provide Privacy Notices.
A Privacy Notice is a simple yet informative notice that lets a user know why you're collecting data. These notices can be added to places on your website or mobile app where you're requesting to collect user data, such as at a field where a user can enter an email address.
For example, uSwitch asks users for an email address and a phone number - both of which are considered to be protected personal information under the GDPR.
Next to the fields where this information is requested, there are small question mark icons that users can click for more information via a Privacy Notice.
When a user clicks on the question mark, they are presented with a short notice that explains - in clear, basic language - why that piece of information is being requested. Here, it's so that uSwitch can email a copy of comparison results to the user.
This type of notice is referred to as a just-in-time notice.
It's easy to see how a short Privacy Notice at the point of data collection can help users be informed of your data collection practices in a concise, clear and easy-to-understand way.
Here are a couple of examples of Privacy Policies that would meet GDPR requirements by being user-friendly and informative.
It continues with a clause that covers how the information is used.
However, you can start to see more transparency than most Privacy Policies when you get to the section about how Mouseflow shares information.
This section is broken down into two types of information that will be shared:
This is important because the GDPR and other privacy laws only apply to personally identifiable information.
Mouseflow points out specifically for EU clients that it complies with the EU Data Protection Directive requirements.
Pipedrive is very specific with disclosing how it uses information it collects. This helps satisfy the lawful basis and legitimate interest requirement of the GDPR.
You can see that it includes operations, improvements and communications - all of which are legitimate business purposes.
Pipedrive includes a section about user choices when it comes to user data. This section covers accessing data, correcting it, deleting it, objecting to it being collected, declining to provide it and other rights users have under the GDPR.